FBI Warns ATM Jackpotting Fraud Attempts Are Back on the Rise


As many banks have scaled back branch networks, automated teller machines have become essential pillars of the financial services infrastructure. But that autonomy has also made ATMs attractive targets for hacking, exploitation, and physical breach.

ATM “jackpotting” combines these tactics. Criminals gain access to a machine’s cabinet—often using widely available generic keys—then either inject malware into the existing system or swap the hard drive for an infected one. Once installed, the malware enables bad actors to force the machine to dispense cash on command.

While the technique itself isn’t new, the Federal Bureau of Investigation recently warned that incidents are rising, citing more than 700 reported cases last year resulting in roughly $12 million in losses.

“The resurgence in ATM jackpotting in the U.S. just reiterates the adage: ‘Everything old is new again,’” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “ATM jackpotting became popular back in the early 2000s when IBM retired OS/2, the operating system used by ATMs worldwide.”

“With that operating system retirement, ATMs migrated to Windows,” she said. “That opened the floodgates for attackers, as vulnerabilities in Windows OS were easily exploited, either through an attack against the network or via a physical attack that involved locally installing malware via a thumb drive. Like any connected device running common software, ATMs must be regularly scanned and software-updated.”

On All Fronts

This fraud trend adds another layer of complexity for financial institutions already contending with relentless attacks. Many schemes focus on account takeover or social engineering, pressuring customers to send payments or act as money mules.

Jackpotting highlights a parallel and troubling shift: criminals are using advanced technology to attack banks’ systems directly. Sophisticated malware, similar in capability to tools deployed in ransomware attacks, can disrupt operations at scale.

Recent incidents illustrate the stakes. An attack on payments provider BridgePay knocked systems offline and left customers without service for weeks.

Pervasive Threats

All these technology threats are supercharging the capabilities of already-impactful fraud groups.

“This latest report does not highlight what new techniques or tactics attackers are using in their latest ATM-jackpotting sprees, but I suspect the same techniques that proved fruitful more than 20 years ago are proving fruitful today—a socially engineered attack waged against an admin with rights and privileges allows access to the ATM or the physical ATM is compromised by criminals feigning to be employees or maintenance,” Goldberg said.

“Vigilance, as always, that is based on a model of zero-trust is the best way organizations can secure their networks and all of the devices—including ATMs—connected to them,” she said.
